CVE-2007-0450
Description
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 5.0, < 5.5.22 | 5.5.22 |
| org.apache.tomcat:tomcat (Maven) | >= 6.0, < 6.0.10 | 6.0.10 |
Affected products
- cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
Patches
ec7ff880dbc2 Merged revision 1203091 from tomcat/trunk:
2 files changed · +23 −4
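--- a/java/org/apache/tomcat/util/buf/UDecoder.java
+++ b/java/org/apache/tomcat/util/buf/UDecoder.java
@@ -92,7 +92,7 @@ public void convert( ByteChunk mb, boolean query )
  idx=idx2;
  }
 
- boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
 
  for( int j=idx; j<end; j++, idx++ ) {
  if( buff[ j ] == '+' && query) {
@@ -160,6 +160,8 @@ public void convert( CharChunk mb, boolean query )
  idx=idx2;
  }
 
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
  for( int j=idx; j<cend; j++, idx++ ) {
  if( buff[ j ] == '+' && query ) {
  buff[idx]=( ' ' );
@@ -179,6 +181,9 @@ public void convert( CharChunk mb, boolean query )
 
  j+=2;
  int res=x2c( b1, b2 );
+ if (noSlash && (res == '/')) {
+ throw EXCEPTION_SLASH;
+ }
  buff[idx]=(char)res;
  }
  }
@@ -206,7 +211,11 @@ public void convert(MessageBytes mb, boolean query)
  if( strValue==null ) {
  return;
  }
- mb.setString( convert( strValue, query ));
+ try {
+ mb.setString( convert( strValue, query ));
+ } catch (RuntimeException ex) {
+ throw new DecodeException(ex.getMessage());
+ }
  break;
  case MessageBytes.T_CHARS:
  CharChunk charC=mb.getCharChunk();
@@ -236,6 +245,8 @@ public final String convert(String str, boolean query)
  return str;
  }
 
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
  StringBuilder dec = new StringBuilder(); // decoded string output
  int strPos = 0;
  int strLen = str.length();
@@ -273,8 +284,12 @@ public final String convert(String str, boolean query)
  // We throw the original exception - the super will deal with
  // it
  // try {
- dec.append((char)Integer.
- parseInt(str.substring(strPos + 1, strPos + 3),16));
+ char res = (char) Integer.parseInt(
+ str.substring(strPos + 1, strPos + 3), 16);
+ if (noSlash && (res == '/')) {
+ throw new IllegalArgumentException("noSlash");
+ }
+ dec.append(res);
  strPos += 3;
  }
  }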
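Review bot: The String overload of convert() now reports a rejected %2f with an unchecked `IllegalArgumentException("noSlash")`, while the CharChunk overload throws `EXCEPTION_SLASH`, so a caller that invokes `convert(String, boolean)` directly rather than through the MessageBytes wrapper still sees a different exception type from the chunk-based paths this commit says it aligns. In the MessageBytes hunk the rewrap `throw new DecodeException(ex.getMessage());` also keeps only the message and drops the original exception as cause, which makes a rejected slash indistinguishable from other decode failures in a stack trace. If DecodeException offers a cause-taking constructor, prefer `throw new DecodeException(ex.getMessage(), ex);`, and add a doc line on the String overload such as `// a %2f in a non-query path (ALLOW_ENCODED_SLASH unset) is rejected with IllegalArgumentException("noSlash")`. All three convert() bodies start and end outside these hunks, and the declared type of EXCEPTION_SLASH is not visible here.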
webapps/docs/changelog.xml+4 −0 modified@@ -237,6 +237,10 @@ HTTP response code when rejecting denied request. E.g. 404 instead of 403. (kkolinko) </add> + <fix> + Slightly improve performance of UDecoder.convert(). Align + <code>%2f</code> handling between implementations. (kkolinko) + </fix> </changelog> </subsection> <subsection name="Coyote">
0c5ec5b958f1 - Align %2f handling (aka CVE-2007-0450 fix) between implementations of UDecoder.convert().
1 file changed · +19 −4
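--- a/java/org/apache/tomcat/util/buf/UDecoder.java
+++ b/java/org/apache/tomcat/util/buf/UDecoder.java
@@ -92,7 +92,7 @@ public void convert( ByteChunk mb, boolean query )
  idx=idx2;
  }
 
- boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
 
  for( int j=idx; j<end; j++, idx++ ) {
  if( buff[ j ] == '+' && query) {
@@ -160,6 +160,8 @@ public void convert( CharChunk mb, boolean query )
  idx=idx2;
  }
 
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
  for( int j=idx; j<cend; j++, idx++ ) {
  if( buff[ j ] == '+' && query ) {
  buff[idx]=( ' ' );
@@ -179,6 +181,9 @@ public void convert( CharChunk mb, boolean query )
 
  j+=2;
  int res=x2c( b1, b2 );
+ if (noSlash && (res == '/')) {
+ throw EXCEPTION_SLASH;
+ }
  buff[idx]=(char)res;
  }
  }
@@ -206,7 +211,11 @@ public void convert(MessageBytes mb, boolean query)
  if( strValue==null ) {
  return;
  }
- mb.setString( convert( strValue, query ));
+ try {
+ mb.setString( convert( strValue, query ));
+ } catch (RuntimeException ex) {
+ throw new DecodeException(ex.getMessage());
+ }
  break;
  case MessageBytes.T_CHARS:
  CharChunk charC=mb.getCharChunk();
@@ -236,6 +245,8 @@ public final String convert(String str, boolean query)
  return str;
  }
 
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
  StringBuilder dec = new StringBuilder(); // decoded string output
  int strPos = 0;
  int strLen = str.length();
@@ -273,8 +284,12 @@ public final String convert(String str, boolean query)
  // We throw the original exception - the super will deal with
  // it
  // try {
- dec.append((char)Integer.
- parseInt(str.substring(strPos + 1, strPos + 3),16));
+ char res = (char) Integer.parseInt(
+ str.substring(strPos + 1, strPos + 3), 16);
+ if (noSlash && (res == '/')) {
+ throw new IllegalArgumentException("noSlash");
+ }
+ dec.append(res);
  strPos += 3;
  }
  }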
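Review bot: The new `noSlash` guards in the CharChunk and String overloads reject only an escape that decodes to '/', so `%5C`, which the CVE description names as a backslash separator Tomcat accepts but httpd does not, is still decoded to a backslash by this code. Whether that is safe depends on normalization that happens elsewhere and is not visible in these hunks, so the limit of the check should be stated at the point it is made, e.g. `// rejects only an encoded '/' (%2f); an encoded backslash (%5c) is still decoded here` above each `if (noSlash && (res == '/'))`. The guard also fires only when ALLOW_ENCODED_SLASH is unset and the input is not a query string, which matches the existing ByteChunk overload but is worth recording in the same comment. The enclosing convert() bodies continue outside these hunks.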
19ec1ccd17fb - Align %2f handling (aka CVE-2007-0450 fix) between implementations of UDecoder.convert().
1 file changed · +19 −4
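--- a/java/org/apache/tomcat/util/buf/UDecoder.java
+++ b/java/org/apache/tomcat/util/buf/UDecoder.java
@@ -92,7 +92,7 @@ public void convert( ByteChunk mb, boolean query )
  idx=idx2;
  }
 
- boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
 
  for( int j=idx; j<end; j++, idx++ ) {
  if( buff[ j ] == '+' && query) {
@@ -160,6 +160,8 @@ public void convert( CharChunk mb, boolean query )
  idx=idx2;
  }
 
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
  for( int j=idx; j<cend; j++, idx++ ) {
  if( buff[ j ] == '+' && query ) {
  buff[idx]=( ' ' );
@@ -179,6 +181,9 @@ public void convert( CharChunk mb, boolean query )
 
  j+=2;
  int res=x2c( b1, b2 );
+ if (noSlash && (res == '/')) {
+ throw EXCEPTION_SLASH;
+ }
  buff[idx]=(char)res;
  }
  }
@@ -206,7 +211,11 @@ public void convert(MessageBytes mb, boolean query)
  if( strValue==null ) {
  return;
  }
- mb.setString( convert( strValue, query ));
+ try {
+ mb.setString( convert( strValue, query ));
+ } catch (RuntimeException ex) {
+ throw new DecodeException(ex.getMessage());
+ }
  break;
  case MessageBytes.T_CHARS:
  CharChunk charC=mb.getCharChunk();
@@ -236,6 +245,8 @@ public final String convert(String str, boolean query)
  return str;
  }
 
+ final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
  StringBuilder dec = new StringBuilder(); // decoded string output
  int strPos = 0;
  int strLen = str.length();
@@ -273,8 +284,12 @@ public final String convert(String str, boolean query)
  // We throw the original exception - the super will deal with
  // it
  // try {
- dec.append((char)Integer.
- parseInt(str.substring(strPos + 1, strPos + 3),16));
+ char res = (char) Integer.parseInt(
+ str.substring(strPos + 1, strPos + 3), 16);
+ if (noSlash && (res == '/')) {
+ throw new IllegalArgumentException("noSlash");
+ }
+ dec.append(res);
  strPos += 3;
  }
  }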
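Review bot: The `catch (RuntimeException ex)` added in the MessageBytes overload is wider than the `IllegalArgumentException("noSlash")` that the String overload now throws: a NumberFormatException from `Integer.parseInt` on a malformed escape, or a StringIndexOutOfBoundsException from the `substring` when '%' sits within two characters of the end, would now also surface as DecodeException, while the retained comment above the parse says the original exception is deliberately propagated. If that widening is intended, say so on the catch, e.g. `// any decode failure (bad hex digits, truncated escape, rejected %2f) is reported as DecodeException`; if not, narrow the catch to IllegalArgumentException (which NumberFormatException extends) or introduce a dedicated exception for the slash case. I cannot see whether an earlier length check in the String overload already rules out the truncated-escape case, so treat that part as something to confirm. The convert(MessageBytes, boolean) body starts and ends outside this hunk.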
Vulnerability mechanics
Mechanics, as far as the description and the patch diffs on this page support them: when Tomcat sits behind Apache httpd via mod_proxy, mod_rewrite or mod_jk, httpd's path checks treat only "/" as a path separator, whereas Tomcat's request decoding also accepted "\" and the percent-encoded forms, so a ".." sequence written with those alternative separators passed httpd and was then resolved by Tomcat as directory traversal. The listed commits touch `UDecoder.convert()`: when `ALLOW_ENCODED_SLASH` is unset and the input is not a query string, an escape that decodes to '/' is now rejected (EXCEPTION_SLASH in the chunk-based overloads, IllegalArgumentException rewrapped as DecodeException on the String/MessageBytes path) instead of being decoded, aligning the three implementations. Handling of the backslash forms is not part of these diffs.
References
- docs.info.apple.com/article.htmlnvdThird Party AdvisoryWEB
- lists.apple.com/archives/security-announce//2007/Jul/msg00004.htmlnvdMailing ListThird Party AdvisoryWEB
- lists.vmware.com/pipermail/security-announce/2008/000003.htmlnvdThird Party AdvisoryWEB
- secunia.com/advisories/24732nvdThird Party Advisory
- secunia.com/advisories/25106nvdThird Party Advisory
- secunia.com/advisories/25280nvdThird Party Advisory
- secunia.com/advisories/26235nvdThird Party Advisory
- secunia.com/advisories/26660nvdThird Party Advisory
- secunia.com/advisories/27037nvdThird Party Advisory
- secunia.com/advisories/28365nvdThird Party Advisory
- secunia.com/advisories/30899nvdThird Party Advisory
- secunia.com/advisories/30908nvdThird Party Advisory
- secunia.com/advisories/33668nvdThird Party Advisory
- security.gentoo.org/glsa/glsa-200705-03.xmlnvdThird Party AdvisoryWEB
- securityreason.com/securityalert/2446nvdThird Party Advisory
- support.avaya.com/elmodocs2/security/ASA-2007-206.htmnvdThird Party Advisory
- support.ca.com/irj/portal/anonymous/phpsupcontentnvdBroken LinkThird Party Advisory
- tomcat.apache.org/security-4.htmlnvdVendor AdvisoryWEB
- tomcat.apache.org/security-5.htmlnvdVendor AdvisoryWEB
- tomcat.apache.org/security-6.htmlnvdVendor AdvisoryWEB
- www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.htmlnvdThird Party Advisory
- www.mandriva.com/security/advisoriesnvdThird Party Advisory
- www.redhat.com/support/errata/RHSA-2007-0327.htmlnvdThird Party AdvisoryWEB
- www.redhat.com/support/errata/RHSA-2007-0360.htmlnvdThird Party AdvisoryWEB
- www.redhat.com/support/errata/RHSA-2008-0261.htmlnvdThird Party AdvisoryWEB
- www.securityfocus.com/archive/1/462791/100/0/threadednvdThird Party AdvisoryVDB Entry
- www.securityfocus.com/archive/1/485938/100/0/threadednvdThird Party AdvisoryVDB Entry
- www.securityfocus.com/archive/1/500396/100/0/threadednvdThird Party AdvisoryVDB Entry
- www.securityfocus.com/archive/1/500412/100/0/threadednvdThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/22960nvdThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/25159nvdThird Party AdvisoryVDB Entry
- www.vupen.com/english/advisories/2007/0975nvdThird Party Advisory
- www.vupen.com/english/advisories/2007/2732nvdThird Party Advisory
- www.vupen.com/english/advisories/2007/3087nvdThird Party Advisory
- www.vupen.com/english/advisories/2007/3386nvdThird Party Advisory
- www.vupen.com/english/advisories/2008/0065nvdThird Party Advisory
- www.vupen.com/english/advisories/2008/1979/referencesnvdThird Party Advisory
- www.vupen.com/english/advisories/2009/0233nvdThird Party Advisory
- exchange.xforce.ibmcloud.com/vulnerabilities/32988nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-4prh-gqw8-rgh5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2007-0450ghsaADVISORY
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10643nvdThird Party Advisory
- community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspxnvdBroken Link
- h20000.www2.hp.com/bizsupport/TechSupport/Document.jspnvdBroken Link
- sunsolve.sun.com/search/document.donvdBroken Link
- www.novell.com/linux/security/advisories/2007_15_sr.htmlnvdBroken Link
- www.novell.com/linux/security/advisories/2007_5_sr.htmlnvdBroken Link
- www.sec-consult.com/287.htmlnvdBroken Link
- www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txtnvdBroken Link
- github.com/apache/tomcat/commit/0c5ec5b958f1b59840ee155a23ab409755b039f6ghsaWEB
- github.com/apache/tomcat/commit/19ec1ccd17fbb98511bc1c12b255253c4f48b85fghsaWEB
- github.com/apache/tomcat/commit/ec7ff880dbc28b313bf3a2b1914f6f0371489793ghsaWEB
- lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3EghsaWEB